diff --git a/README.md b/README.md
index 255f439..a004d22 100644
--- a/README.md
+++ b/README.md
@@ -169,8 +169,6 @@ All endpoints (except `/api/auth/*` and `/healthz`) require authentication via o
 Base URL: `https://tickets.thewrightserver.net/api`
-`POST /api/auth/login` is rate-limited to 10 attempts per 15 minutes per IP.
-
 ---
 ### Authentication
diff --git a/server/package-lock.json b/server/package-lock.json
index a144164..49d14bc 100644
--- a/server/package-lock.json
+++ b/server/package-lock.json
@@ -14,7 +14,6 @@
 "dotenv": "^16.4.7",
 "express": "^4.21.2",
 "express-async-errors": "^3.1.0",
-"express-rate-limit": "^7.5.0",
 "jsonwebtoken": "^9.0.2",
 "multer": "^2.1.1",
 "node-cron": "^3.0.3",
@@ -1917,21 +1916,6 @@
 "express": "^4.16.2"
 }
 },
-"node_modules/express-rate-limit": {
-"version": "7.5.1",
-"resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.1.tgz",
-"integrity": "sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==",
-"license": "MIT",
-"engines": {
-"node": ">= 16"
-},
-"funding": {
-"url": "https://github.com/sponsors/express-rate-limit"
-},
-"peerDependencies": {
-"express": ">= 4.11"
-}
-},
 "node_modules/fast-copy": {
 "version": "4.0.3",
 "resolved": "https://registry.npmjs.org/fast-copy/-/fast-copy-4.0.3.tgz",
diff --git a/server/package.json b/server/package.json
index 013f6d3..7a13082 100644
--- a/server/package.json
+++ b/server/package.json
@@ -20,7 +20,6 @@
 "dotenv": "^16.4.7",
 "express": "^4.21.2",
 "express-async-errors": "^3.1.0",
-"express-rate-limit": "^7.5.0",
 "jsonwebtoken": "^9.0.2",
 "multer": "^2.1.1",
 "node-cron": "^3.0.3",
diff --git a/server/src/index.ts b/server/src/index.ts
index 09169b6..146682b 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -3,7 +3,6 @@ import express from 'express';
 import cors from 'cors';
 import dotenv from 'dotenv';
 import pinoHttp from 'pino-http';
-import rateLimit from 'express-rate-limit';
 import authRoutes from './routes/auth';
 import ticketRoutes from './routes/tickets';
@@ -38,16 +37,7 @@ app.get('/healthz', (_req, res) => {
 res.json({ status: 'ok' });
 });
-const loginLimiter = rateLimit({
-windowMs: 15 * 60 * 1000,
-max: 10,
-standardHeaders: true,
-legacyHeaders: false,
-message: { error: 'Too many login attempts. Try again in 15 minutes.' },
-});
-
 // Public
-app.use('/api/auth/login', loginLimiter);
 app.use('/api/auth', authRoutes);
 // Protected
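Review bot: After the second hunk `/api/auth/login` is mounted with no request throttling at all: `app.use('/api/auth/login', loginLimiter);` is removed along with the `loginLimiter` definition and nothing on the new side replaces it, so repeated credential guesses against the login route are bounded only by whatever sits in front of the app, if anything. If the limit has moved to a reverse proxy or gateway, the commit description should say so and the README hunk should document the new limit instead of silently dropping the sentence; if it has not, keep a limiter on `/api/auth/login` (the same `windowMs`/`max` policy, or a small in-memory counter keyed by client address if the dependency is the objection) before the package.json and package-lock.json removals land. Either way, failed login attempts should still be logged at a level the existing `pinoHttp` logger surfaces, so a burst of failures remains visible even without the limiter. The `app.get('/healthz', ...)` handler that opens the second hunk starts outside it.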